Don’t Acquire a Company Until You Evaluate Its Data Security

Executive Summary

In M&A, acquiring companies routinely conduct a comprehensive appraisal of the target company’s assets, liabilities and commercial potential. This article proposes that acquirers do an equally rigorous evaluation of the target’s data security.


When Marriott International acquired Starwood in 2016 for $13.6 billion, neither company was aware of a cyber-attack on Starwood’s reservation system that dated back to 2014. The breach, which exposed the sensitive personal data of nearly 500 million Starwood customers, is a perfect example of what we call a “data lemon” — a concept drawn from economist George Akerlof’s work on information asymmetries and the “lemons” problem. Akerlof’s insight was that a buyer does not know the quality of a product being offered by a seller, so the buyer risks purchasing a lemon — think of used cars.

We are extending that concept to M&A activity. In any transaction between an acquiring company and a target company (seller), there is asymmetric information about the target’s quality. While managers have long understood this concept, recent events shed light on an emerging nuance in M&A — that of the data lemon. That is, a target’s quality may be linked to the strength of its cybersecurity and its compliance with data privacy regulation. When an acquirer does not protect itself against a data lemon and seek sufficient information about the target’s data privacy and security compliance, the acquirer may be left with a data lemon — a security breach, for example — and resulting government penalties, along with brand damage and loss of trust. That’s the situation Marriott is now dealing with. The company faces $912 million in GDPR fines in the EU and its stock price has taken a hit. The trouble doesn’t end there. According to Bloomberg, “the company could face up to $1 billion in regulatory fines and litigation costs.”

So what to do about data lemons? You can simply make the deal anyway, especially if the value created by the deal outweighs the risks. Or you can take the Verizon path and reduce the valuation post-acquisition. We propose a third option: due diligence not just on the financials of the target firm, but also its regulatory vulnerabilities during the M&A discussion process. The idea is to identify potential data breaches and cybersecurity problems before they become your problem.

Finding the Problem Before You Own It

In this approach, we borrow from established compliance standards intended to safeguard against bribery and environmental issues. The acquirer would investigate the target firm’s past data breaches and require disclosure of prior data-related audits and any pending investigations worldwide. The acquiring firm would also conduct a review of the target’s processes and procedures regarding information security — like acceptable use of data, data classification, and data handling. The acquirer should also evaluate target firm compliance with cyber security frameworks from NIST, CIS, ISO, and the AICPA.

If some risk is discovered during the due diligence, an acquirer should engage in a more intense audit of the target firm’s policies. For example, does the target adhere to any sort of data standards or certifications? (Examples include Gramm-Leach-Bliley and HIPAA.) Finally, due diligence should also include a review of the data-privacy requirements in third-party contracts.

Also note that documents that change hands between the target and acquiring firms can themselves become risks for “information spillage” — the unintended release of sensitive data. Hence both the target and acquiring firm are particularly vulnerable to attack by hackers during the M&A due diligence process, sometimes via a hack of third parties such as banks, law firms, accounting firms, or third-party vendors involved in M&A. It’s important to increase the security of such information and review the practices of third parties to reduce such risk.

Once You’ve Acquired a Data Lemon

Even if you’ve done all the above, you may still acquire a data lemon. What should you do then? At this point, it is essential to set up an incident response strategy that addresses the legal, regulatory, and customer-facing risks alike. Such an incident-response strategy needs to be quick and decisive, adopting a multi-disciplinary approach, and the board must be brought in. Management of public relations and outreach to policymakers will have to be transparent. These are just the immediate steps. The acquiring firm also needs to review the practices that led to the breach and identify measures to improve the data privacy compliance program going forward.

The more acquirers are proactive and address this issue through effective self-regulation, or through an industry-based peer-driven regulation, the less likely more severe government regulation will be put in place as a response.

Chirantan Chatterjee is the ICICI Bank Chair in Strategic Management and Associate Professor in Business Policy and Economics at the IIM Ahmedabad, India, also a 2018-2019 Campbell and Edward Teller National Fellow at Hoover Institution, Stanford University.

D. Daniel Sokol is the UF Research Foundation Professor of Law at the University of Florida Levin College of Law.